
CVE-2025-64517: CWE-287: Improper Authentication in trifectatechfoundation sudo-rs

Medium
Published: Wed Nov 12 2025 (11/12/2025, 22:08:29 UTC)
Source: CVE Database V5
Vendor/Project: trifectatechfoundation
Product: sudo-rs

Description

sudo-rs is a memory safe implementation of sudo and su written in Rust. With `Defaults targetpw` (or `Defaults rootpw`) enabled, the password of the target account (or root account) instead of the invoking user is used for authentication. sudo-rs starting in version 0.2.5 and prior to version 0.2.10 incorrectly recorded the invoking user’s UID instead of the authenticated-as user's UID in the authentication timestamp. Any later `sudo` invocation on the same terminal while the timestamp was still valid would use that timestamp, potentially bypassing new authentication even if the policy would have required it. A highly-privileged user (able to run commands as other users, or as root, through sudo) who knows one password of an account they are allowed to run commands as, would be able to run commands as any other account the policy permits them to run commands for, even if they don't know the password for those accounts. A common instance of this would be that a user can still use their own password to run commands as root (the default behaviour of `sudo`), effectively negating the intended behaviour of the `targetpw` or `rootpw` options. Version 0.2.10 contains a patch for the issue. Versions prior to 0.2.5 are not affected, since they do not offer `Defaults targetpw` or `Defaults rootpw`.

AI-Powered Analysis

Last updated: 11/19/2025, 23:15:53 UTC

Technical Analysis

The vulnerability CVE-2025-64517 affects sudo-rs, a Rust-based memory-safe implementation of sudo and su. When configured with 'Defaults targetpw' or 'Defaults rootpw', sudo-rs is supposed to require the password of the target or root account for authentication. However, in versions 0.2.5 up to but not including 0.2.10, sudo-rs incorrectly records the invoking user's UID in the authentication timestamp rather than the UID of the account whose password was actually verified. This timestamp is consulted to skip the password prompt on later invocations from the same terminal within the timeout window, so a record written after authenticating with one target account's password also satisfies a later request to run as a different target account. Consequently, a user with high privileges who knows the password of one allowed account can run commands as any other account permitted by the sudo policy without knowing those accounts' passwords. This undermines the security model intended by the 'targetpw' and 'rootpw' options, which are designed to enforce stricter authentication requirements. The flaw does not impact versions before 0.2.5, as these did not support the relevant options, and was fixed in version 0.2.10. The vulnerability requires local access with elevated privileges (PR:H), no user interaction, and has a local attack vector (AV:L). It impacts integrity but not confidentiality or availability. No public exploits have been reported so far.
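As an added illustration (not sudo-rs code), the following Rust model of a per-terminal authentication timestamp cache shows the keying mistake described in the description and analysis above: the same cache logic is run once keyed on the invoking UID and once keyed on the authenticated-as UID. The terminal name, the UIDs 1000/1001 and the 900-second timeout are constructed sample values, not taken from sudo-rs.

```rust
// Added example, not sudo-rs code: minimal model of the timestamp cache.
// With `Defaults targetpw` the password checked is the target account's, so the
// record must be keyed on that (authenticated-as) UID; keying it on the invoking
// UID (the 0.2.5 to 0.2.9 behaviour) lets one target's password unlock every target.
type Uid = u32;
#[derive(Clone, Copy)]
enum Keying {
    InvokingUser,    // vulnerable: record carries the UID of whoever ran sudo
    AuthenticatedAs, // fixed: record carries the UID whose password was checked
}
/// One cached authentication: terminal, recorded UID, and a modelled clock in seconds.
struct Timestamp { tty: String, uid: Uid, written: u64 }
struct AuthCache { keying: Keying, timeout_secs: u64, records: Vec<Timestamp> }
impl AuthCache {
    fn new(keying: Keying, timeout_secs: u64) -> Self {
        AuthCache { keying, timeout_secs, records: Vec::new() }
    }
    /// Models `sudo -u <target> cmd` on `tty` at time `now` with targetpw in effect.
    /// Returns true when a password prompt was required (no valid timestamp found).
    fn run_as(&mut self, tty: &str, invoking: Uid, target: Uid, now: u64) -> bool {
        let auth_uid = match self.keying {
            Keying::InvokingUser => invoking,
            Keying::AuthenticatedAs => target,
        };
        let cached = self.records.iter().any(|r| {
            r.tty == tty && r.uid == auth_uid && now.saturating_sub(r.written) < self.timeout_secs
        });
        if !cached {
            // A real implementation verifies the password here; on success it writes the record.
            self.records.push(Timestamp { tty: tty.to_string(), uid: auth_uid, written: now });
        }
        !cached
    }
}
/// The advisory's scenario with constructed UIDs: uid 1000 knows the password of
/// uid 1001 but not root's. Returns true if the later root command on the same
/// terminal, inside the timeout, ran without a prompt (i.e. the bypass occurred).
fn root_without_root_password(keying: Keying) -> bool {
    let mut cache = AuthCache::new(keying, 900); // assumed 15-minute window
    let prompted_first = cache.run_as("pts/3", 1000, 1001, 10);
    let prompted_for_root = cache.run_as("pts/3", 1000, 0, 60);
    prompted_first && !prompted_for_root
}
fn main() {
    println!("invoking-UID keying bypasses root prompt: {}", root_without_root_password(Keying::InvokingUser));
    println!("authenticated-as keying bypasses root prompt: {}", root_without_root_password(Keying::AuthenticatedAs));
}
```

Running it prints `true` for the invoking-UID keying and `false` for the authenticated-as keying, which is the whole difference between the affected releases and 0.2.10.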

Potential Impact

For European organizations, this vulnerability poses a risk primarily in environments where sudo-rs is deployed with 'targetpw' or 'rootpw' enabled and where users have elevated privileges to run commands as other users. The flaw could allow privilege escalation or lateral movement within systems by bypassing intended authentication controls, potentially leading to unauthorized command execution under different user contexts. This could compromise system integrity and trust boundaries, especially in critical infrastructure, financial institutions, or government agencies that rely on strict access controls. While the vulnerability does not directly impact confidentiality or availability, the ability to execute commands as other users could facilitate further attacks or data manipulation. The medium severity reflects the need for local privileged access, limiting remote exploitation but still posing a significant risk in multi-user or shared environments common in enterprise Linux deployments across Europe.

Mitigation Recommendations

Organizations should immediately upgrade sudo-rs to version 0.2.10 or later, where the issue is patched. Until the upgrade is applied, administrators should consider disabling the 'Defaults targetpw' and 'Defaults rootpw' options if feasible, or restricting sudo-rs usage to trusted users only. Implement strict monitoring of sudo usage logs to detect anomalous command executions or unexpected user context switches. Employ multi-factor authentication and strong password policies to reduce the risk of credential compromise. Additionally, review and tighten sudo policies to minimize the number of users with elevated privileges and limit the commands they can execute. Conduct regular audits of sudo configurations and authentication timestamp behaviour. For environments where sudo-rs is critical, consider isolating affected systems or using alternative privilege escalation tools that do not exhibit this vulnerability until the patch is deployed.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-05T21:15:39.400Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691509abe6b3e50d509f11d4

Added to database: 11/12/2025, 10:26:51 PM

Last enriched: 11/19/2025, 11:15:53 PM

Last updated: 12/28/2025, 6:57:48 AM

